Posted
by
ScuttleMonkeyon Monday February 19, 2007 @01:13PM
from the paperweight-maker dept.

Sid writes "Ars Technica reports that the One Laptop Per Child (OLPC) XO has an anti-theft daemon in the OS that can be used to remotely disable machines, much like WGA. The Project added the kill switch at the behest of a few countries concerned about laptop theft. From the report, 'OLPC has responded to such concerns by developing an anti-theft daemon that the project claims cannot be disabled, even by a user with root access. Participating countries can then provide identifying information such as a serial number to a given country's OLPC program oversight entity, which can then disable the devices in certain scenarios.'"

I was able to do this and *much more* with Microsoft operating systems. I was able to turn off the computer, open the CD-ROM drive and even play sounds remotely using utilities such as black orifice or sub-seven.

Like when a bunch of rebels steal all the laptops and start using them for crime? Wouldn't you want to leave the machines running so you could track what they were doing? What situation(s) exactly would warrant shutting off the machines?

In most cases the value to the thief is not in the object itself but in its resale value. If they know that the laptops will be bricked before they can shift them, it might deter some people from swiping them.

In most cases the value to the thief is not in the object itself but in its resale value. If they know that the laptops will be bricked before they can shift them, it might deter some people from swiping them.

It will deter few. I recall looking at computer equipment in a pawn shop. I was excited as I saw some IBM Model M keyboards. Upon inspection I found that the keyboards had not been unplugged, the cables had been cut. I expect many thieves will have difficulty telling OLPC systems from normal system

There is no HDD. There's like 128 MB of RAM, and 512 MB of Flash (expandable). You couldn't sell a 128 MB stick of RAM for any sort of large profit (most retail sticks start at 256 MB or 512 MB), and a removing the flash and consolidating it into something useable to any other product would exceed the costs of bulk flash in the first place. The displays probably need a custom driver. The only thing really useful is the battery, and even that's low-end.

Speakin' of the batteries, I heard these things have some form of crank-generator so you don't need to plug-in. I'd KILL to have that on my $1500 lappy....no worries if I forgot to charge before I left the house or forgot the charger somewhere...just crank it a bit and I'm operational. If I had a $1500 lappy and I saw someone with a $100 lappy with a hand crank, they'd have a hard time keeping it for that reason alone..heh.

Assuming the connectors and the voltages and stuff match up (which I doubt), the handcrank doesn't produce a lot of power. Sure, it's a decent amount in relation to the ultra-low-power OLPC, but it's not gonna do much compared to a Merom or Turion with 1-2 GB of RAM and a HDD with a full color display. I mean, I bet the crank-time-to-powered-time ratio would be essentially reversed at best (you'd spend twice the time cranking that you'd get in battery time).

How hard is to take out a simlock from a mobile? Guess how hard it will be to reflash the memory to get rid of this daemon?You guessed correctly - in no time. That technology should be incorporated in hardware (something like in Thinkpads).And another thing - they will steal it - just for a spare parts for other ones. Plus guess how many will be blacklisted, and how many left alone because nobody would care to go to speak with corrupted police?They go to third world, there everything is possible. Company I

It will deter few. I recall looking at computer equipment in a pawn shop. I was excited as I saw some IBM Model M keyboards. Upon inspection I found that the keyboards had not been unplugged, the cables had been cut.

If you're looking for a Model M, Unicomp [wikipedia.org] still makes them.

That makes it too tempting to give the laptops to people you want monitored- For instance, I could give it to random kids, and then figure out their schedules, where they live, and when they are alone in the house. And that's just scratching the surface- give me some time and I can think of worse abuses you could do with some sort of monitor on the computers.

De-activating the laptops prevents people from stealing and using them, but it also means that if some hostile person has access to your shutdow

The monitor only lets the OLPC authority shutdown the machine IF the anti-theft server says the machine has been stolen, OR the laptop is kept from accessing the server for more than x days (21 I think). And the daemon CAN be disabled, if the child requests the developer key from the OLPC authority (theres a 7 day wait to make sure the laptop wasn't stolen between the request and giving the key). The laptop uses code signing to prevent the operating system from being permanently modified (if you have the master key(s), or the developer key, you can modify it as much as you want, if you don't you can modify most of it but only in a copy of the system files, its a very nice way to allow most of the system to be modifiable by the kids, but if they bork it, you can just reset to using the original system files (assuming you didn't modify the original using the master/developer keys).

Now if the thief steals the developer key with the laptop, then the daemon is useless (unless they're too slow), and in the BitFrost document they acknowledge that theres is no way they can guarantee no laptops will be stolen, just try and discourage the thiefs.

I couldn't agree more. The first thing I thought of when I saw this was "Oh boy, if they can't own the internet at least they can own the individual machines connected to it." This whole scenario begs for slippery-slope abuse - we already have lots of background on how fair these 3rd (& 2nd & 1st) world governments like to play when it comes to controls over citizens. I think this is an extremely bad idea and will take some serious convincing to ever feel otherwise.

They're shipping them prepaid to countries where the authorities are highly corrupt and the laptops are highly in demand in the US. You'd expect criminals in those countries to buy the shipments off the authorities and sell them on ebay for as much as possible back in the US. If they have a kill switch it should discourage this I guess, assuming someone high up in the country gives a shit about what's happened.

I think it's more like the car stereos that are "theft resistant" because, once removed from the car, they require some sort of master password to re-activate. I don't know much about stereo theft, but I can only assume that most thieves have ways around this (probably just swiping the car's manual out of the glovebox when they take the radio).

But that's basically the idea; it hopefully makes the item just unattractive enough for a thief, so they move on to easier pastures.

Maybe off-topic, but my in-car DVD player has a removeable face that supposedly is coded and all of that and only replaceable by Phillips, yatta yatta yatta, but if you push in the lever on the front, the thing fires up and works like a charm. I did have a Kenwood MD/CD player that was definitely coded, but I didn't have access to another front panel to test that for sure, but it most definitely didn't work by pressing the contact switch, it just beeped a warning beep.This is not to say that OLPC's thing is

OK, I teach in a public school. My computers often are shut down for 21 days or more... like over vacations. And with intermittent internet connectivity is often down for two months. That's here in a California public school!

And school thieves steal things with zero street value, including keyboards, cables, and AC power cords. Heck, someone stole three VGA monitors over winter break, saving us $30 in dump fees.

The potential for abuse here is pretty high. If the controlling government (Read: whoever controls the Internet connection and licensing servers, so maybe a corporation) wants to keep the people in line, they can just threaten to turn everyone's laptop off. If an invading nation wants an information blackout, shut everyone's laptop out.

Traditionally, the first thing you do when you invade is to bomb the television station.This is becoming less effective now that people have access to alternative sources of information: shutting down everyone's computers will be a valuable tool for invading armies, along with anti-satellite weapons for taking out satellite TV.

No, but given that common first moves in a full-scale invasion tend to include taking out of telephone, radio, television and other communications infrastructure, you'd expect that now to include internet resources. A remotely-activated kill switch installed in a significant proportion of PCs would certainly make that easier.

Remember, you don't have to take out *all* lines of communication to everyone, just enough that proper communication (and so o

(Read: whoever controls the Internet connection and licensing servers, so maybe a corporation)

Uh-uh. Corporations - evil themselves. And when it comes to unprivilegeded, poor africa children, these entities of evil will be in line to throw the kill switch on the laptops. Beware of the corporations!

Newsflash: In the part of the world where things are actually bad, the problem is not with CEOs. They are with who ever happend to throw a revolution that week, and tell the army to start killing people from whate

The potential for abuse here is pretty high. If the controlling government (Read: whoever controls the Internet connection and licensing servers, so maybe a corporation) wants to keep the people in line, they can just threaten to turn everyone's laptop off

They can also selectively shut-off laptops - just enter the serial numbers of laptops in a village that didn't vote for you, into the license server...

That's a nice hope, but it's not true. Any file based DRM that is functional on general purpose computers can be cracked. This is a security solution rather than DRM, and it's implemented on custom hardware.

In this case the security system is intended to protect *physical hardware* not data or tampering. They don't have to make it theoretically impossible to break, they just have to make it significantly more expensive to crack than the resale value of the device - that's damn easy.

For a pure-software system like many DRM schemes, once one person has cracked the system they can release a program to do it. After that, cracking additional instances of that system is free.

With a well built theft-deterrent system based on tamper proof hardware, you've got to do a hardware crack every time. If you can make the hardware crack difficult enough, you can make it so that it requires a competent hardware guy hours for each and every unit that needs to get cracked. Think about modchipping x-boxe

"But pushing the envelope on both security and usability is a tall order, and as we state in the concluding chapter of this document, we have neither tried to create, nor do we believe we have created, a "perfectly secure" system. Notions of perfect security are foolish, and we distance ourselves up front from any such claims."

Software protection?
Hmm, I believe the correct response would be ROFLMAO*. Seriously, what the frak? That's like saying they will put Windows on it so that no-one can pirate CDs thanks to it's protection.

Not if the lock is in firmware on a chip somewhere simular to Tivo's DRM. But then It cannot run GPLv3 code after this. Such a pitty.

Unless they alread thought about this and are using the same provisions that lets GPLv3 code work with a GPLv2 kernel and call it an agregate. Then the point of the GPLv3 restrictions are usless if the lock only stops the GPLv2 code from working.

And to all those thay want to say But the GPLv3 says this, The GPLv2 says "no further restrictions can be applied". And restrictions in a GPLv3 license whatever the final release is, has to honor this unless it is actualy incompatible and can no longer be used with GPLv2 code. You can have the cake, eat the cake but you need to assemble the ingredients to make the cake before any of that happens.

The mechanism the laptop will use IS like the Tivo DRM (in fact there was a discussion on lwn whether Bitfrost is drm or not, and whether it would violate the GPLv3 or not). I believe Bitfrost WILL be GPLv3 compliant because the owner of the machine can request a developer key which will allow them to modify anything on the system (even remove the daemon). To prevent the thief from just requesting the developer key theres a 7 day waiting period (to confirm that the laptop hasn't been stolen) and then the

The mechanism the laptop will use IS like the Tivo DRM (in fact there was a discussion on lwn whether Bitfrost is drm or not, and whether it would violate the GPLv3 or not). I believe Bitfrost WILL be GPLv3 compliant because the owner of the machine can request a developer key which will allow them to modify anything on the system (even remove the daemon). To prevent the thief from just requesting the developer key theres a 7 day waiting period (to confirm that the laptop hasn't been stolen) and then the k

...the owner of the machine can request a developer key which will allow them to modify anything on the system (even remove the daemon).

Who, then, is the owner of the machine? The school (or some other government institution) or the child?
Obviously, most children will not have the computer skills to need this daemon disabled, but kids in Eastern Europe have certainly proven themselves to have such skills. Will keys be issued to compotent kids who request them? Or will the kids only be considered ren

If you read the spec (yeah I know, this is/., no one actually reads), the daemon is marked 'special' by the kernel (due to a custom kernel mod), and can't be killed, even by root. The kernel and bootloader are both signed and checked by the hardware on boot, so if a potential thief tries to run their own kernel, the laptop will fail to boot.

For kids who get a little more advanced and want to mess with the kernel or bootloader of their laptop, they can apply for a special 'developer key' that will allow

So, does this mean that the OLPC project is going to need a back-end infrastructure to support this Daemon? With the amounts of laptops considered in this project, that means that a pretty large back-end infrastructure is going to be needed to support this process.

In addition, there's going to need to be a tremendous amount of "process defintion" for something of this scale. What constitutes a "stolen" laptop in this case? How is it reported? To Whom? Who is ultimately responsible?

Sounds like a massive undertaking and far from clearly defined, other than a "Daemon is available."

RSA? That old dog has still got some life in it yet. Their specific implementation of RSA and how it interfaces with the mechanism for actually throwing the kill switch? Maybe. Depends on whether the crypto validation happens in software or in hardware; in the latter case, they could actually do the crypto in hardware (low-performance RSA hardware implementations are dirt cheap) and not provide any other mechanism to trigger the kill switch -- thus, in this situation there would exist no possibility for the software to be hacked to bypass that check.

This isn't like software-based DRM, where the decrypted bits need to be fed back into a fully programmable mechanism somewhere. This is a security device built into a dedicated hardware system; if done right, it need not have any of the vulnerabilities 'yall around here are accustomed to.

Hacking the HQ is easy to avoid -- just like with any important key, you don't keep the system online; when you need to do work on it, you move your data on and off via static media (my employer uses a USB key for moving CSRs onto and certificates off of our fully disconnected CA). The HQ being ransacked is a slightly different matter, but given that it's located in a 1st-world country with an effective police force, that kind of thing doesn't happen so often.

Sounds to me like a convenient way to gag someone that a government doesn't want to be heard. "Are they making derrogatory comments about the leadership? Well then, just turn their computer off."

I suppose, it probably will only be a matter of time before some individual will figure out (in their mind) that this is a good way to extort money from someone else. "Send me $nn or I will disable your computer(s)." Then again, if they're using a $100 laptop given to them, what money would there be to extort?

Sounds to me like a convenient way to gag someone that a government doesn't want to be heard. "Are they making derrogatory comments about the leadership? Well then, just turn their computer off."

What the hell? This computer is intended for KIDS. If your government is so worried about "free speech" that they need to censor kids an teenagers, then you have a very serious problem. Or a president with a very small dick.

Well, maybe they thought it would be a great way to distribute and instill their propaganda in the impressionable minds of that country's youth. Of course, there will always be a few outliers exhibiting independent thought. They must be quelled and dealt with "appropriately".

As an Indian from a relatively unconnected neck of woods, I love the OLPC project and what it might do to the future students of this world - and I've even played around with an OLPC for thirty minutes [flickr.com]. But this particular feature annoys me a bit. I quote from the article.

the system allows countries to optionally establish a "license" period for the laptops, such as 21 days.When laptops are connected to the Internet, they will synchronize with an NTP server to obtain the correcttime and date, and then obtain a license which must be renewed in the time specified. Laptops which are notrenewed within the timeframe will lock.

As I mentioned before, the whole concept of an unconnected laptop or one with minimal internet access (i.e wireless mesh) goes for a toss with this feature. The worst of the activation features which windows has, negating the real advantage of having a laptop you could take literally anywhere. Locking out someone just because they couldn't hook their PC into the network for twenty days is no way to make OLPC work. The real way to keep them off the black market is to reward those who keep their machines intact - just like the way to get kids to come to school has been a free lunch programme (and I sit in an Indian state with 99% literacy rates).

Or if you're really interested in reducing the utility of the machines, send an access code to the school master every month - for the laptops to get on the internet.
You need to go pick up the coupon to get back on the internet and just kick the ones which are reported missing in audits - rather than go in for an active licensing scheme as mentioned in the document.

But in general, technical solutions for social (as well as economic) problems hardly work out, by themselves.

I think the important point is that the OLPC project "allows countries to optionally establish a license period". I agree that it is hardly ideal, but it is being offered as an option because some countries demanded a feature of this kind. Other countries aren't quite so silly and won't enable the option. I think realistically one of the greatest theft deterrents for the XO machines is that they are seriously targetted towards young children. Sure there are geeks on Slashdot who would love to get their hand

It will be used to shut off the machines of disadents. Governments don't seem to care that much about machines being stolen, but they do care about giving power to political opponents. If I buy a machine, I should have complete control of it. No one should be able to remotely turn off the machine without my explicit authorization. I can't think of any way to make a feature like this safe from abuse.

The kill switch, and whether there is one, is controlled by whoever bought the laptops. The OLPC project is based on governments buying laptops and distributing them to children. The governments care a whole lot about whether the laptops they are giving to children in public schools are going to tempt bands of dissidents to pillage schools for the black-market resale value of the spoils. They also care about whether the shipments of laptops are going to make it to the schools at all without being hijacked b

I have to say, I don't like the decidedly big-brother tilt the OLPC project has been taking lately. With all the news [slashdot.org] that has come out lately on OLPC, the whole "users will be able to read/understand/modify its source code" stance seems to have gone away.

If I can read and compile the O/S, who's to say I can't just remove the kill daemon from my build and then install it? In order to be robust, they'll have to lock down the installed software and make it impossible for the user to change. No community development; no share-and-share-alike; no software libre, counter to the whole "open source" philosophy they tout as the project's base.

This isn't a hacker's dream toy; its a business proposition to sell expensive supporting infrastructure and services along with a loss-leading locked-down client device disguised as charity in the name of educating the poor.

> If I can read and compile the O/S, who's to say I can't just remove the kill daemon from my build and then install it?

Nothing at all. The article is misleading -- if you want to remove the anti-theft daemon you can, by clicking a button to request a developer key that gives you full access to the machine and its BIOS. Then you can run whatever you like.

If your machine has been reported stolen, though, the developer key won't be issued. So, it's a sensible tradeoff between restricting people from exp

Not really, This is at the request of the people who will be buying it and distributing it to the people. It won't even be enabled if your one of the people who buy it outright or live in a country without te requirment.

And I personaly don't see anything wrong for someone who is buying the device to expect it to be used in a certain way when it is given to the intended recipients. If someone doesn't agree, buy it yourself without the restrictions. It is that simple. And the choice is there.

And can we please remember that it's One Laptop Per Child, and not One Laptop Per Slashdot-reading Guerilla Geek? Any abuse regarding deactivation of the laptops is more likely to be carried out by confiscation of the laptop by school personal.

Also, the feature can be disabled with a Developer Key from OLPC:

1018 The anti-theft system cannot be bypassed as long as P_SF_CORE is enabled (and
1019 disabling it requires a developer key). This, in effect, means that a child is
1020 free to do any modification to her machine's userspace (by disabling P_SF_RUN
1021 without a developer key), but cannot change the running kernel without
1022 requesting the key. The key-issuing process incorporates a 14-day delay to
1023 allow for a slow theft report to percolate up through the system, and is only
1024 issued if the machine is not reported stolen at the end of that period of time.

When this (old [slashdot.org]) news [wired.com] first came out, I posted this gloom and doom [slashdot.org] comment, but after reading the spec, I realized that the picture was more complicated than my comment, or the summary above, indicates.

The anti-theft system cannot be bypassed as long as P_SF_CORE is enabled (and disabling it requires a developer key). This, in effect, means that a child is free to do any modification to her machine's userspace (by disabling P_SF_RUN without a developer key), but cannot change the running kernel without requesting the key. The key-issuing process incorporates a 14-day delay to allow for a slow theft report to percolate up through the system, and is only issued if the machine is not reported stolen at the end of that period of time.

My earlier concerns were that this funcitonality was the same type of call-home spying and TPM kill-switch control that MSFT in its most evil moments would love to have over all of its users and that OLPC had totally screwed the pooch.

The spec makes it seem a bit more like a maximally secure default setting, whose override is difficult but still accessible. They are simply storing the lock (the laptop) and the key (the developer key) in different places. The keys won't be given out if the lock has been reported stolen, but if not, they are available to the machine's owner.

Something about this still worries me, though. The developer key makes this system radically different from something like the WGA's phone-home spyware "feature" in that it can be disabled by the machine's owner, but given that the default setting is so hard to override, is the effect really all that different? Is this going to screw over less techical users who make a mistake and somehow manage not to "renew their lease" frequently enough? Worst of all, if something goes wrong with the centrally-managed key distribution system, millions of kids will be left with fully locked down, unhackable, TPM machines that will brick in an instant if they wait too long to phone home to the server of a government that may be more interested in censoring them than empowering them.

I'd be curious to hear what Stallman has to say about this project, especially this aspect of the security system. I think everything else about this project would suit even his lofty standards to a tee, but I think OLPC is walking a fine line with this anti-theft system.

What"s with this "slave the user's machine to the mothership" mentality? "The system allows countries to optionally establish a "license" period for the laptops, such as 21 days. Laptops which are not renewed within the timeframe will lock." Get too far from the local wireless node and your machine dies? And they want to deploy this in third world countries?

That makes life easier for terrorists. The Taliban, which is coming back in Afghanistan, is going to exploit this. Destroy the local school (standard Taliban operating procedure) and its wireless node, and all the kids' computers die. Today at least the parents and kids can hide some books. With OLPC, it's easier for Islamic fundamentalists to destroy knowledge.

Maybe they shouldn't be so quick to disable or even interrupt service to stolen laptops. Even in the wrong hands, these laptops are not that useful for anything besides learning. Who knows how children of the rebels would be transformed by learning to program Linux.

Call me a sceptic but I don't think that theft has anything to do with the motivations for this "value add" here. Afer all, you could always take out the hard drive if the data is what you wanted (assuming unencrypted). You can reformat the hard drive and reinstall puppy linux if you just wanted the hardware. Data could be encrypted to keep people from stealing data. So what does "disabling" the laptop OS do to deter "theft"? With a techie, (or even a smart high school student) absolutely NOTHING. It won't

If these computers can be bricked it they're stolen, then they're less likely to be stolen.
Although these are 'low cost' to most of us, in many of the places they're going, these are going to be comparatively expensive bits of kit (and easily the most expensive item a child is going to be carrying about).
Anyway, if the laptop can be made just a bit less stealable, then the child carrying it is that little bit safer - which is surely slightly more important than a load of self-righteous geeks blathering on